"The NIS directive covers drinking water. Maybe we do one workshop on drinking water a year. Nothing more. This means we fulfil the regulation but we don't fulfil, obviously, maybe the expectation."

Without additional resources, the agency may need to take this 'bare minimum' approach with the tasks proposed under the new bill.

"We will fulfil everything which is in the [proposed] regulation. Full stop. But the regulation is very, let's say, 'generic'," said Helmbrecht.

He was speaking at a conference hosted by the European Economic and Social Committee (EESC), a Brussels-based EU body that offers advisory papers on proposed legislation on behalf of civil society.

The author of the draft EESC opinion, Alberto Mazzola, said that he had "doubts" that the increased budget matched the increase in tasks for the Greece-based agency, and that it should be assisted by other EU agencies.

When the European Commission proposed the regulation in September 2017, it itself admitted that Enisa "was not equipped with proportionally sufficient resources" and that it already had a "broad mandate".

Certificates but not checks

There are also other concerns with the proposed legislation.

The commission suggested that the EU set up a system for certification schemes, which could give stamps of approval on the level of cybersecurity of consumer products.

But the system would be voluntary, and national certification authorities would not be scrutinised by the EU.

It was a system of pan-EU certification combined with national – mostly non-existent – controls that in part led to the Dieselgate emissions scandal.

The EESC's Mazzola also saw that risk, and said that the EU commission should be able to ask Enisa to do audits of national certification authorities.

"If we are introducing certification schemes that are valid all around Europe, and you can get certification in each country, I think it's important that there is this sort of a right of overview and evaluation of activities," he told EUobserver after the event.

But he also said he would expect national governments to resist what they would see as giving up powers to the EU.

"The issue is very sensitive, also for national security," he noted.

Sovereignty

French and German lawmakers have already raised objections to parts of the proposal.

Citing national security and sovereignty, the German senate has objected to a pan-EU certification scheme which superseded national ones.

It said in a text adopted on 15 December 2017 that a complementary European scheme – instead of one that replaced national ones – could strengthen cybersecurity just as well.

The French senate complained that Enisa had "no expertise" to set up certification schemes.

France's national assembly meanwhile said in a motion adopted on 6 December that national authorities, and not Enisa, should remain "the primary guarantors of the protection of European citizens in this field".

On the same day, the Czech senate said Enisa "should primarily complement activities of the member states in the area of cybersecurity and should not be aimed at taking over their competences in this area".

The commission's justification for setting up a pan-EU certification system is that several mechanisms have popped up recently, leading to fragmentation in the internal market.

No donations

Enisa is one of the EU's smallest agencies, and is funded mostly by the general EU budget.

The 2013 legal text which underpins Enisa's current mandate said any EU member state "should be allowed to make voluntary contributions".

"Since 2013 it's in the regulation. But no member state does it, full stop. We don't get any donation from the member states," pointed out executive director Helmbrecht.
